From: Amy Griffis <amy.griffis@hp.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: redhat-lspp <redhat-lspp@redhat.com>, linux-audit@redhat.com
Subject: Re: inotify_rm_watch behavior
Date: Mon, 11 Sep 2006 15:34:51 -0400 [thread overview]
Message-ID: <20060911193450.GA2542@fc.hp.com> (raw)
In-Reply-To: <1158002159.5960.118.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote: [Mon Sep 11 2006, 03:15:59PM EDT]
> On Mon, 2006-09-11 at 14:49 -0400, Amy Griffis wrote:
> > Eduardo Madeira Fleury wrote: [Mon Sep 11 2006, 02:05:24PM EDT]
> > > I'm doing some tests and currently inotify_rm_watch is not performing any
> > > permission checks, i.e., an ordinary user can remove a watch set by root on a
> > > file with root:root 400 permission.
> > >
> > > Is this the expected behavior? Seems like neither MAC nor MLS checks are being
> > > done.
> >
> > Yes. As I understand it, an inotify watch is not a data object, and
> > so does not require DAC or MAC checks.
>
> Not sure I follow the rationale for MAC. Process in security context C1
> creates an inotify instance, adds some watches to files/directories it
> can read (read permission checked between C1 and file context upon
> inotify_add_watch), provides the instance descriptor to a process in
> security context C2 via execve inheritance or local IPC. Process in
> security context C2 can now read events on those watched
> files/directories even if it lacks direct read permission to them and
> can add and remove watches on the inotify instance, indirectly signaling
> the C1 process via the shared inotify instance.
>
> All of which would be avoided if the MLS policy included a constraint on
> fd use permission, thereby preventing such sharing of inotify instances
> among processes in different levels except for trusted subjects or
> objects identified by a type attribute.
Agreed. I was trying to say that there shouldn't be a constraint on
the inotify watch itself. Until I saw your mail, I wasn't aware that
there aren't currently any constraints on sharing inotify instances.
Amy
next prev parent reply other threads:[~2006-09-11 19:34 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-09-11 18:05 inotify_rm_watch behavior Eduardo Madeira Fleury
2006-09-11 18:48 ` Stephen Smalley
2006-09-11 18:49 ` Amy Griffis
2006-09-11 19:15 ` Stephen Smalley
2006-09-11 19:34 ` Amy Griffis [this message]
2006-09-12 13:45 ` Stephen Smalley
2006-09-12 14:09 ` [redhat-lspp] " Darrel Goeddel
2006-09-12 14:10 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060911193450.GA2542@fc.hp.com \
--to=amy.griffis@hp.com \
--cc=linux-audit@redhat.com \
--cc=redhat-lspp@redhat.com \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).